[ FROM THE EDITOR ]

Creative Audacity

Last month I wrote about innovation in the face of economic adversity. Let's take it a step further.

"Creative audacity." That's my favorite phrase from this year's CSO Perspectives conference, courtesy of Dennis Treece.

Treece is the director of corporate security for Massport, the Massachusetts Port Authority, which oversees Boston's Logan International Airport and a variety of bridges and ports. At CSOP, he spoke on the topic of leadership, talking about the "spark" that makes some people, including you, want to take the helm, to take charge, to accept accountability, to help others work effectively and together to make things happen.

And that same spark makes you want to continue to lead after the sheen of glory or attention or praise has worn away and the headaches and responsibilities of leadership have made themselves abundantly clear. Which is what this type of economic situation does so very well. Treece's point was that it's not sufficient to "manage" through a crisis; great leadership manifests itself in radical solutions, new approaches and a rather hard-headed insistence on not just scraping by.

Whatever you are tasked to protect (buildings, networks, people, data, intellectual property), odds are you now are asked to protect it with fewer resources. The temptation is always to respond: If you give us 20 percent less to work with, then you'll get 20 percent less protection. Without creative audacity, that's all you can deliver.

His point was echoed in the Compass Award winners' panel onstage. Lynda Fleury, assistant VP and CISO of Unum, mentioned that her organization is combing through its operational budget, looking for efficiency. At first blush, that sounds like an accounting exercise. Digging a little deeper, we found it's really about brainstorming. Creativity. Unum's budget is merely a guide to make sure the brainstorming is comprehensive, that no activity escapes from scrutiny. Can processes actually be made more efficient through radical simplification? Can manpower and brainpower be shifted from a lower-value activity to a higher-value task? What would result if work were reallocated or organizational charts redrawn? What security processes have matured enough to be handed off to business-line employees? Where might a tweak (or complete remake) of security systems provide better operational payoff?

If you were walking into your organization for the very first time, how would you set it up? Where would you choose to spend your time and money?

Here's to applying audacious creativity to answering those questions and solving your security challenges.

-Derek Slater, dslater@cxo.com
PhoneFactor adds a second layer of security - an automated phone call - to any login. Users simply enter their username and password, and instantly they get a call. They answer and press # to complete their login.

"Even if a hacker has your password, your account remains secure." - New York Times

PhoneFactor
Try PhoneFactor for FREE at www.phonefactor.com/cso or call 1.877.No.Token.


[ FROM THE PUBLISHER ]

Who's to Blame?

The newspapers and Web (and CSO and CSOonline.com for that matter) are full of data breach stories on a regular basis. They were always happening. But with the spate of new breach notification laws being enacted, we're beginning to see them on a regular basis. There's an interesting debate going on in security circles about where the blame should rest when a business suffers a data breach. The debate goes something like this:

A customer database at a midsize financial institution is broken into by a hacker. The thief gains access to personally identifiable information on 1,000 high-net-worth customer accounts, including account holder names and account numbers, Social Security numbers and account histories going back three years. On the same day that the breach is discovered, a branch of the bank is robbed at night. The thieves make off with $125,000 in cash.

In the case of the robbery, the bank calls in law enforcement, who dust for fingerprints, review surveillance cameras and conduct a thorough investigation into the robbery. The bank branch is closed for one day following the robbery and then reopens to normal business. The local television stations have a quick live shot on the 7 a.m. and noon news programs, and then the story fades into the background. No one blames the bank for being robbed.

In the case of the breach, the bank must identify the customers who were affected, notify them of the breach and perhaps provide credit monitoring for years. The bank is subject to fines and sanctions from regulators and, most importantly, to significant bad press coverage. Everyone blames the bank for the data breach.

It seems that there is a blame game going on here. Think about it. When a bank is robbed we don't generally blame the bank. We blame the robber. But when a bank has a data breach, the response is very different. Most people blame the bank for the incident. Why? I don't like to generalize, but financial institutions typically have very good security, both IT and physical. So the question is: Are we accurately assigning responsibility for the myriad data breaches that are occurring in our enterprises?

If we are properly assigning blame, then why do the impacts of breaches seem to have greater significance than those of bank robberies or common thefts? You can draw the same analogy between data breaches and muggings. In such cases, the thefts ultimately impact an individual. We don't blame the person who was robbed, do we? We blame the mugger.

Are we assigning blame, and ultimately responsibility, correctly? Or is this a basic problem with the way we approach information security? Let me know what you think.

Best regards,

-Bob Bragdon, bbragdon@cxo.com
Some things can be sacrificed, but your cyber security isn't one of them.

It's a matter of survival. And if you're just protecting your sensitive data at the network perimeter, we've got news for you: your software is seriously vulnerable and you need help. Fast. Fortify delivers the only preventative approach to software security. Reducing the risk of catastrophe from cyber attacks and helping you meet tough compliance mandates. Don't wait another second, contact us at 650-358-5600. After all, when it comes to your security who can afford to take a coffee break anyway?
BLOG POST

How to Write Non-Disclosure Agreements

NDAs are used in several situations. Most notably, NDAs are used at the inception of a relationship to ensure confidential information disclosed in anticipation of a potential business relationship is adequately protected. If the parties decide to enter into a final contract, say a professional services agreement, following their initial discussions, the NDA would be replaced by the confidentiality provisions of the final agreement. In the foregoing example, an NDA is used as an interim agreement to ensure initial discussions are protected by written confidentiality obligations, but the NDA is not intended or designed to be used on an ongoing basis. Rather, the parties contemplate that the NDA will "sunset" when they ultimately sign a final agreement to govern their relationship (e.g., a master license agreement, ASP agreement, professional services agreement, etc.).

NDAs may also be used on an ongoing basis for employees, contractors and others who may not require anything more substantial in the way of contractual documentation to govern their relationship with the business, but this is generally not the case.

There are two basic types of NDAs: one-way and two-way. One-way NDAs protect only the information of one of the parties. These are generally used when information will be flowing in only one direction. Two-way NDAs are designed to protect the confidential information of both parties.

So what are the key points for NDAs? Several points for your consideration:

■ In general, avoid requirements that you must mark information as "confidential" or risk losing protection. While such a requirement may be workable in very limited engagements, this requirement is frequently unrealistic and unlikely to be followed.

■ Ensure intellectual property disclosed by a party is adequately protected (e.g., by the granting of a limited license to use the intellectual property solely in connection with exploring the proposed business relationship). Remember that not all intellectual property is necessarily "confidential information." An NDA drafted to protect only "confidential information" may not adequately protect your intellectual property.

■ Except in limited circumstances, NDAs should not be used as a final, ongoing agreement. Rather, most NDAs should be used as transitional documents in anticipation of the negotiation of a final, fully fleshed-out agreement containing its own confidentiality clause.

■ While most NDAs have defined terms (e.g., three to five years), ensure that trade secrets, personally identifiable consumer information and other highly sensitive information remain protected on an ongoing basis. In particular, some courts have found that trade secrets disclosed under an NDA that has a defined term will lose their trade secret status forever at the end of that term.

■ Ensure the scope of the NDA is not overbroad, but includes all desired purposes for which the information is disclosed.

■ Most NDAs impose an obligation to return or destroy confidential information disclosed by the other party at the end of the term or on termination. While this is not an objectionable requirement, the language should be revised to ensure the receiving party may retain such documentation as is necessary to satisfy any document retention obligations imposed on them by law and to ensure the receiving party is not compelled to remove or delete information when it is commercially impracticable to do so (e.g., removing e-mail containing confidential information from old backup tapes).

-Michael Overly

A Real Dumpster Dive: Bank Tosses Checks, Laptops

Think banks are properly disposing of your sensitive data? Think again. Security consultant Steve Hunt headed to the nearest bank's trash bin. In three minutes he found checks, copies of bank account numbers and even a laptop.

BLOG POST

Back to Ethics

What happened in Washington, D.C., (city) government under Yusuf Acar as CSO over the past few years? Almost everyone involved in government technology in the nation, along with a few others in the FBI, want to find out the answer to that question. What we do know is that Vivek Kundra, President Obama's brand-new, first ever, Federal CIO has taken a leave of absence.

Could this very talented leader be in serious trouble? This blogger hopes not. But one lesson is already clear: Web 2.0, government 2.0, cloud computing or any other techno-savvy change must be built on a foundation of rock-solid professional ethics.

Regardless of what happens next in this situation, this incident already provides some great reminders for every security professional out there. The main message is that unethical behavior must be stopped and dealt with, or other great achievements will be undermined. Ethical behavior must be a top priority.

No matter how good your staff is at technical tasks, are they trustworthy? I have found that some of the best and brightest are also the most tempted to violate policy. As I describe at length in my book, we all face temptations online. There are steps we can take to protect ourselves, our governments, our businesses, our careers and our families. Most of us run background checks on staff, but that is often not enough. Note: my earliest blogs spend significant time discussing cyberethics in the office.

We must trust, but verify. No one is above the law. Listen to complaints from people who claim that security staff or systems administrators flaunt their authority or access. Security professionals need to be above reproach, or all the technical controls in the world will not help. Good security involves people, process and technology.

- Dan Lohrmann
LETTER TO THE EDITOR

March Issue Kudos, Corrections

To start off on a good note, I enjoyed the article "Right on Time" [March issue] very much. This is great information for security managers! Regarding "Beating Hackers to the Punch": the article focuses solely on network vulnerability scanning, [but] the table shows application source code scanning vendors such as Fortify. This incorrect addition shows that...the author blindly included the listing without actually checking the products.

Regarding "IE or Firefox: Which is More Secure?": Although I do recognize that the author meant for this to be an informal article comparing the two largest browser shareholders, I am saddened that the browser Chrome was not mentioned at all. It is the only browser that was designed from the ground up to have a tight-knit security architecture with process sandboxing and other amazing features. For security managers, these facts should weigh heavily on their decision for what to use. I don't think Chrome is ready for enterprise deployment; it is still missing some features like MSI deployment and Active Directory ADM template integration, but it is a contender and will be considered in my organization for full enterprise deployment once it gets those features.

-Erik Cabetas

April 2009 www.csoonline.com 9


RESTRICTED AREA KEEP OUT

Cisco Partner / Trend Micro / WatchGuard Gold Certified

Cisco® ASA 5505 Adaptive Security Appliance
• Secures your network against attacks such as worms, viruses, spyware, keyloggers, Trojan horses, rootkits and hackers
• Combines feature-rich VPN connectivity with comprehensive threat defense to deliver cost-effective remote network access
• Protects users accessing the network from a personal or public PC with Cisco Secure Desktop

WatchGuard® Firebox® Core™ X550e UTM Bundle
• VPN endpoint and firewall security appliance
• Coordinates multiple internal defense layers to enhance protection and efficiency
• Intuitive management interface provides flexible networking features and functionality for ease of administration, while upgrading to Fireware® Pro advanced OS allows for convenient integration of advanced networking feature set
• Includes application proxy firewall/VPN appliance, one year of Gateway Antivirus/Intrusion Prevention with antispyware, spamBlocker, WebBlocker and extended hardware warranty, threat alerts and technical support

Trend Micro™ NeatSuite™ Advanced
• Delivers multi-layered, multi-threat protection in a single gateway-to-endpoint suite
• Protects against the growing threat of Web-borne attacks
• Provides maximum IT efficiency with automatic updates, centralized management console and reporting
• Offers high scalability and extensive configuration options
51-250 user license¹ $59.99 CDW 1258918

$1619
CDW 1065037
CDW 973448

We're there with the security solutions you need.

Security threats won't get on your network if they can't get to the network. That's why gateway security is so important. CDW has a wide selection of top-name firewall protection, antivirus, antispyware, intrusion prevention and more. Our personal account managers along with our highly trained technology specialists have the expertise you need to ensure your network is fortified and secure. So call CDW today. And eliminate threats before they even become threats.

CDW.com 800.399.4CDW

¹Licensing requires a minimum purchase of five licenses; includes one-year Maintenance (12x5 telephone and online technical support, virus pattern updates and product version upgrades). Offer subject to CDW's standard terms and conditions of sale, available at CDW.com. ©2009 CDW Corporation

The Right Technology. Right Away.


"I have a lot of policies, but I don't run a police state."

Edited by Bill Brenner

Laid-Off Workers as Data Thieves?

REPORT POINTS TO AN OMINOUS BY-PRODUCT OF THE ECONOMIC CRISIS: TERMINATED EMPLOYEES STEAL DATA IN ACTS OF VENGEANCE

A report from security vendor Symantec and the Ponemon Institute suggests a growing crime wave where laid-off workers exact vengeance on their former employers by walking out the door with sensitive customer data and other proprietary information.

The Ponemon Institute conducted the Web-based survey in January, polling nearly 1,000 Americans who left an employer within the last year, and found that 59 percent of ex-employees admit to stealing confidential company information, such as customer contact lists. The results also show that if respondents' companies had implemented better data loss prevention policies and technologies, many instances of data theft probably wouldn't have happened.

Among the survey findings:

■ 53 percent downloaded information onto a CD or DVD; 42 percent onto a USB drive and 38 percent sent attachments to a personal e-mail account.

■ 79 percent took data without an employer's permission.

■ 82 percent said their employers did not perform an audit or review of paper or electronic documents before the respondent left his/her job.

■ 24 percent had access to their employer's computer system or network after their departure from the company.

"The survey's findings should sound the alarm across all industries: Your sensitive data is walking out the door with your employees. Even if layoffs are not imminent, companies need to be more aware of who has access to sensitive business information," Ponemon Institute Founder and Chairman Larry Ponemon says.

Added Rob Greer, senior director of product management for data loss prevention solutions at Symantec: "Data loss during downsizing is preventable. We can prevent employees from e-mailing sensitive content to personal Web mail accounts or downloading it onto USB drives."

He said companies need to implement data loss prevention technologies so they know exactly where sensitive data resides, how it is being used and prevent it from being copied, downloaded or sent outside the company.
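The survey findings above name three channels (removable media, personal e-mail accounts, and accounts left active after departure) that a monitoring rule can watch for. The following is an added illustration, not code from the article, Symantec or the Ponemon Institute: a small detector that runs over constructed audit-log lines and flags each of those channels. The log format, field names, the HR termination feed, the webmail domain list and the removable-media path prefixes are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample audit log, one record per line: date,user,action,target.
# The format is an assumption for this example, not any real product's log.
SAMPLE_LOG = """\
2009-01-12,alice,email_attach,alice.home@gmail.com
2009-01-12,bob,file_copy,E:\\customers.xls
2009-01-13,carol,email_attach,partner@acme-supplier.example
2009-01-20,dave,login,vpn
2009-01-21,alice,file_copy,\\\\fileserver\\share\\report.doc
"""

# Constructed HR feed (assumption): last day of employment for departed users.
TERMINATED = {"dave": date(2009, 1, 15)}

# Consumer webmail domains treated as personal accounts (assumption; extend as needed).
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Path prefixes that indicate removable media (USB/CD/DVD) in this example.
REMOVABLE_PREFIXES = ("E:\\", "F:\\", "/media/")


@dataclass
class Finding:
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Split one CSV record into (date, user, action, target)."""
    d, user, action, target = line.split(",", 3)
    return date.fromisoformat(d), user, action, target


def check_record(when, user, action, target):
    """Apply the three survey-derived rules to a single record."""
    findings = []

    # Rule 1: activity by an account after the user's last day
    # (the survey's "24 percent had access after departure").
    last_day = TERMINATED.get(user)
    if last_day is not None and when > last_day:
        findings.append(Finding(user, "access_after_termination",
                                f"{action} on {when} (last day {last_day})"))

    # Rule 2: attachment sent to a personal webmail account.
    if action == "email_attach":
        domain = target.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_MAIL_DOMAINS:
            findings.append(Finding(user, "attachment_to_personal_mail", target))

    # Rule 3: file copied onto removable media.
    if action == "file_copy" and target.startswith(REMOVABLE_PREFIXES):
        findings.append(Finding(user, "copy_to_removable_media", target))

    return findings


def scan(log_text):
    """Run every rule over every non-empty log line and collect the findings."""
    out = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(check_record(*parse_line(line)))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user:6} {f.rule:28} {f.detail}")
```

On the constructed log this reports alice's attachment to a Gmail address, bob's copy to the E: drive and dave's VPN login five days after his last day, while carol's mail to a business partner and alice's copy to the internal file server pass. The termination rule is the one worth wiring to a real HR feed first: it needs no content inspection, only a join between the identity system and the last-day list that the survey suggests many employers never make.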


While security professionals in general are bound to agree with those comments, others will likely look at this report with skepticism, not because the findings are off the wall, but because it's just so obvious. (See related column at csoonline.com/article/482095.)

Disgruntled employees have always been a threat to businesses. Of course incidents will spike in times of massive layoffs because there are more angry people out there.

But the insider threat is an old problem. One could also argue that laid-off employees aren't as big a threat as those who remain on the inside with access to data that they can sneak off to black marketers offering cash for proprietary data one can only obtain if they're still on the inside.

If enterprise security shops are only now discovering the insider threat and the need for a layered defense with tighter access controls, they may well have bigger problems than the current recession.

Employees with an ax to grind were around before the economic collapse and they will be around after the economy recovers.

-Bill Brenner
>> BRIEFING

AWARENESS

The 4 Security Rules Employees Love to Break

Most CSOs and security managers know employees are taking risks every day that could set their company up for a breach.

What are some of the biggest offenses and what can be done to nip that risky behavior in the bud? John Stewart, CSO of Cisco, offers his take on four rules people love to break and offers advice on getting them to stop.

Allowing "Tailgating" and Unsupervised Roaming

According to a recent Cisco survey, more than one in five German employees allow nonemployees to roam around offices unsupervised. The study average was 13 percent. And 18 percent have allowed unknown individuals to tailgate behind employees into corporate facilities. The reason, according to Stewart, is that confronting people who may be gaining access illegally is difficult for people.

"Globally, tailgating creates an interesting human problem," says Stewart. "You are walking into a building and you may have to challenge someone to prove that they have the right to be there. This is uncomfortable for a great number of people. In certain cultures, it's insulting and unacceptable."

Stewart recommends creating an environment that makes it hard for people to tailgate. Consider signage that even states that tailgating is not allowed.

"When there are signs posted it makes it easier for a person to ask for identification. They can say: 'The company makes me do this.' It diffuses some of the tension."

Help your user community say in a very obvious way: I don't want to have to do this but I have to do it, says Stewart.

Adding Unauthorized Wireless Access Points

At Cisco, the process of dealing with unauthorized wireless access points is known as 'whack-a-mole,' according to Stewart.

That's because they pop up so frequently.

Wireless access points can be needed either by employees looking to test things or when people who don't normally need access suddenly do.

"You could end up in a meeting with people from all over and they all need the Ethernet. However, one or two computers might not have authentication credentials to get on corporate wireless, and then someone has the great idea to create a wireless environment with a USB stick. Wireless is just that easy."

While most employees are just looking to fill a need, says Stewart, the unauthorized access point is an exposure.

"You've got the corporation at risk," he says. "Tailgating and wireless access points are, in many ways, the exact same problem. You are potentially allowing unauthorized or unexpected users on your network."

Stewart advises having a clear and consistent policy with consequences. Consistency is key.

"If the consequences aren't severe, most people won't take you seriously. Get serious about real rules. I know some companies who will charge the department with the person who put the wireless access point on the network. The bill goes to the manager of the person that did it. You can imagine how that plays out."

Sharing Corporate or Sensitive Information With Unauthorized People

According to Cisco research, one of four employees (24 percent) admitted to verbally sharing sensitive information to nonemployees such as friends, family or even strangers.

When asked why, some of the most common answers included, "I needed to bounce an idea off someone," "I needed to vent" and "I did not see anything wrong with it."

Stewart thinks that companies need to educate workers to treat corporate information like it's a personal secret.

"You don't want people to know certain things about yourself. If there is something really personal you would rather not have the world know about, that is how a company feels, too. You can also equate corporate information with money. Keeping sensitive information secret says, 'I'm not going to share my money with you.'"

Putting Sensitive Data in the Wrong Place

This could mean copying or extracting corporate sensitive information from a protected place and putting it on a handheld device. It could also mean e-mailing information to an outside, noncorporate e-mail account. Whatever the scenario, it means that sensitive information could get in the wrong hands, especially if it's on a portable device that gets lost. Cisco research found 22 percent of employees carry corporate data on portable storage devices outside of the office.

"If you instinctually know that the work environment you have is causing this, figure out a solution," advises Stewart.

"If an employee is engaging in this behavior say to them, 'Tell me what you've got to do that's forcing you to do this and let us figure out a way to solve it.'"

-Joan Goodchild
For log-on security, forget passwords, remember HID.

HID, the world leader in physical access control, can now provide secure access to your network. All on your current card.

Passwords have long been used as a means of log-on security, but an easier, more reliable way to control access to Windows® is the same way you do with your doors - with HID contactless technology. You don't have to re-badge. It's ready to go from day one with the same credential. And it's an easy transition for cardholders because they're already familiar with the contactless technology. Proven, cost-effective, simple - HID is where convenience meets security on the desktop.

Get your FREE white paper at passwords.hidglobal.com
PHYSICAL SECURITY

How to Design Green AND Secure Buildings

Put a security guy in a room with an environmentalist and ask them to design a building. Wait five minutes and you'll hear fists pounding tables, chairs hitting walls and a steady flow of profanity.

The problem? Green features are often seen as a vulnerability to the security professional while security features are often considered ugly and wasteful to the designer who wants to make a structure green.

But it doesn't have to be this way, according to a group of experts who gathered in Woburn, Mass., recently for a seminar on intelligent building design. A main focus of the event, hosted by integrated building management systems vendor TAC, was to demonstrate how the secure and the green can exist in the same space and even complement one another.

In the current economic climate, marrying the two can also be a cost saver, says Mo Hess, TAC's global segment manager for security.

"Security performs a lot of the functionality that building automation does to control energy consumption, such as turning lights off and on, controlling thermostats and notifying you when a door or window has been left open," he says. "The same technology used for access control and security can also be used to measure and conserve energy."

For example, he says, surveillance cameras installed to monitor who is coming in and out of a room can also be used to measure light levels and notify building managers if a light is burning too brightly or if one has been left on. Access control can be used to keep tabs on energy consumption just as easily as it can be used to limit an employee's access to certain IT systems and corridors, Hess says.

To drive home the point, seminar organizers began the track of security presentations with an overview of new buildings planned for the University of Massachusetts' Amherst campus. The university's $640 million capital improvement plan for new research buildings and other structures is full of green features. But when pressed by attendees, UMass facilities planner Thomas Huf admitted the plans were lacking in terms of security controls.

"We don't have a central security design at this point," Huf said.

Two representatives from Applied Risk Management (ARM) then described how the designs could be tweaked with security in mind.

ARM Senior Technical Consultant Roger Rueda listed examples of where the security guys and conservationists tend to clash. Security pros lean toward the brightest lighting possible. Conservationists see overly bright illumination as light pollution. Rueda said there's a middle ground to be had. For example, at night when there are fewer cars in the parking lot and fewer people coming and going, large sections of the parking lot can be blocked off so everyone is parking in a smaller area. That reduces the amount of lighting needed to monitor the parking lot, which allows the security folks to do their jobs while saving energy and reducing light pollution.

A building's airflow is another source of conflict between security and conservation. Green designers prefer an open airflow, which is something security planners view as an opportunity for air contamination. Rueda pointed to a middle road where the open airflow can be achieved while thermal imaging cameras can be used to detect possible contamination.

On the structural side, conservationists tend to prefer minimal environmental disruption and open spaces while the security folks want more protective barriers. A solution, Rueda said, is to make use of such things as trombe walls, slabs of concrete that can be used as both a security barrier and a heating source. "Trombe walls are useful because they provide blast protection but also absorb heat during the day, which can then be used to heat a building at little or no cost," Rueda said.

In the IT security world, experts often emphasize the importance of working security into the software writing process. Bolting it on later with additional software and hardware is a money-waster that tends to happen only after someone has attacked the company network. Likewise, ARM President and
CEO  Daniel  O’Neill  said  security  has  to  be 
a  consideration  at  the  very  beginning  of 
the  green  building  design  process. 

Security  can  be  bolted  on  later,  but 
usually  that  happens  after  the  bomb 
blast  or  hurricane  has  done  the  damage. 
‘If  you  wait  until  the  end  of  the  design 
process,  you  will  never  be  able  to  secure 
the  building  as  well  as  you  could  have,” 
he  said.  -B.B 
Verbatim...

“While there have been pockets of progress on cybersecurity within the [Department of Homeland Security], the agency is being held back by too much administrative incompetence and political infighting.”

-Amit Yoran, former director of the National Cyber Security Division at the DHS and current CEO of security vendor NetWitness

“Our hope is to help transform the concept of software security from alchemy to empirical science.”

-Cigital CTO Gary McGraw, on the Building Security In Maturity Model launched last month

“The good news is this [recession] had to happen to clean out the bad and make room for the stronger. What will you do as an individual or a company to position yourself for when things get better?”

-Peter Kuper, managing partner at HypAdvisor Consulting and former head software analyst at Morgan Stanley, during a keynote at the Source Boston conference last month

“If you go out and try to hire some kids now, they ask: ‘Can I have access to Facebook at work?’ If you say no, they will go and work for someone else.”

-Mark Small, vice president of enterprise sales with Websense, a security software provider


>> BRIEFING

INDUSTRY VIEW

SECURITY WISDOM WATCH

Social Networking Edition

This month we focus on the social networking forums that have come to dominate our lives for better or worse.

Thumbs up: Zach Lanier. The senior network security analyst at Harvard Business School is ringleader of the Security Twits, a network of security professionals who exchange ideas and work to solve problems via the Twitter microblogging site. The site is sometimes compared to a loud bar where everyone is shouting to be heard, but Lanier has managed to organize an ever-expanding yet strangely tight-knit community.

Thumbs down: Facebook. It’s a nice place to visit if you want to find people you haven’t cared about since kindergarten, but what started as a promising site for exchanging security ideas has quickly devolved into such stupidity as online snowball fights and vanity exercises like the “25 Random Things About Me.” [Full disclosure: The author of this column admits to spending too much time on Facebook himself.]

Thumbs both ways: LinkedIn groups. This business-oriented social networking site is home to a rapidly expanding array of security groups. Those with groups include Black Hat, NAISG and ISSA. The problem is that there are now too many security groups, many of which share similar names. The full list is starting to resemble Twitter on a busy day.

-B.B.


Security Pros Warm to Web 2.0 Access

Facebook, LinkedIn and Twitter, once viewed as high-risk, productivity-sucking applications, seem to have wiggled their way into the hearts of security teams nationwide. In fact, most organizations no longer block the popular websites and allow employees to access these Web 2.0 applications at work, according to a new survey from the Security Executive Council.

The research, released at the CSO Perspectives conference in March, reveals that 86 percent of organizations do allow workers to use Web 2.0 applications such as Facebook, LinkedIn and Twitter while on the job or with a company-issued computer.

The topic of social networking and work access was the subject of a spirited discussion among professionals who attended CSOP, a three-day event in Clearwater, Fla. Some in attendance pointed to Web 2.0 access as a necessary recruiting and retention tool.

“We talk about Web 2.0, but there is also a concept I call Employee 2.0,” says Mark Small, vice president of enterprise sales with Websense, a security software provider based in San Diego. “If you go out and try to hire some kids now, they ask: ‘Can I have access to Facebook at work?’ If you say no, they will go and work for someone else.”

Small, in a presentation on Web 2.0 applications, noted that among major employers in the United States, IBM currently estimates that the company has 33,000 Facebook accounts among employees.

CSOs and CISOs that allow access to Facebook, LinkedIn, Twitter and other social networking sites were the majority voice in a panel discussion on the topic. Leslie Lambert, CISO of Sun Microsystems, says social networking sites have become a standard part of her hiring process.

“How many of you have hired someone recently without looking them up first on LinkedIn?” she asked the audience. Very few hands went up in response.

Those who restrict access in their organizations were also vocal on their reasoning. Chief concerns included a potential hack or breach of company information because social engineering scams have become common on Facebook, Twitter, MySpace and other similar sites. Derek Benz, CISO of Honeywell, says another concern is potential damage to the company’s reputation.

“Many people form groups associated with their company on these sites, and the company cannot necessarily control what is said in those groups.”

Lambert says Sun Microsystems was also concerned about what employees might do or say as a representative of the company on social networking sites. As a result, Sun has crafted an ‘electronic discourse’ policy that all workers sign before they start with the company. Policies, however, can only go so far in mitigating risks. “I have a lot of policies,” says Lambert. “But I don’t run a police state.”

Jerry Nolasco, a vice president of global information security with Franklin Templeton Investments in St. Petersburg, Fla., says he has opened up access to Facebook, Twitter and LinkedIn on a limited basis to select employees, such as human resources, who have a clear business need to access the sites. While only a small number can access the sites now, Nolasco admits he will likely open them up to all eventually. -J.G.
INDUSTRY VIEW

Secure Electronic Medical Records: Fact or Fiction?

Healthcare organizations still nursing the scars of HIPAA compliance and data breaches have gotten behind a new security framework to address potential headaches brought on by the American Recovery and Reinvestment Act of 2009.

Members of the Health Information Trust Alliance (Hitrust) gathered in San Francisco recently to unveil the Common Security Framework (CSF), the first IT security framework designed specifically for healthcare data loss prevention.

CSF will be delivered as a service through a new online community called Hitrust Central. Hitrust CSF version 2009 and Hitrust Central are available starting at $1,875, the organization says. The cost will be higher for larger organizations.

Work on CSF began 18 months ago in response to HIPAA security challenges and the growing wave of data breaches in the health sector and elsewhere.

But the need for a health-sector-based set of security standards was amplified by the recent passage of President Obama’s economic stimulus package, which includes federal funds for the widespread deployment of electronic medical records.

Russell Pierce, CISO at CVS Caremark, says the push to digitize medical records is fraught with potential security problems, making it crucial that health organizations get behind a more specific set of security guidelines.

“We’ve seen a lot of difficulty in the health sector in terms of how one evaluates the security of third parties, especially when it comes to what third parties are doing to satisfy HIPAA’s security requirements,” Pierce says. “There have been some significant inconsistencies on that front.”

One problem is HIPAA itself. The law has been open to interpretation, and Hitrust hopes its CSF will put more organizations on the same page in terms of what must be done to improve security. Pierce says the CSF is designed to scale.

In other words, the framework is designed to get organizations of varying size on the same security page, whether it’s private practices, hospitals and health plan providers or pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses.

“The CSF will also help in determining compliance against the myriad business partner requirements as well as the numerous evolving state and federal regulations and industry standards,” Hitrust said in a statement.

“The CSF cross-references and harmonizes regulations such as The American Recovery and Reinvestment Act of 2009 and the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, as well as nationally and globally recognized standards such as ISO, NIST, Cobit, HIPAA and PCI.”

McKesson CISO Michael Wilson said Obama’s push for more efficiency through health IT is great, but that it comes with risk that must be addressed with more specific guidelines.

He believes the Hitrust CSF is a step in that direction.

“Having all-electronic records means you need to sharpen the privacy and security around it,” he says. -B.B.


BY THE NUMBERS

56
Number of countries joining the 24/7 Network since mid-March. The network is designed to quickly react to cybercrime incidents around the world.

12
Number of categories in the new Building Security In Maturity Model, a set of guidelines designed to help software and application makers write more secure code.

1 in 100
The number of PCs infected with ID theft Trojans, according to a study Panda Security conducted of its customer base.

10 million
Total number of infected machines around the world, according to Panda Security’s estimate. Specifically, if one percent of the world’s one billion computers are infected, that would mean that this kind of software is on 10 million PCs worldwide, the company reports.

4
Number of years L.A. resident John Schiefer will spend in jail after pleading guilty to stealing user names, passwords and financial data from more than 250,000 compromised systems.

$2,500
Amount Schiefer was ordered to pay in fines for the same crime.
EXECUTIVE PROTECTION

Classified Data on Marine One Leaked, Found on Iranian Computer

Classified information about the communications, navigation and management electronics on Marine One, the helicopter now used by President Barack Obama, was reportedly discovered in a publicly available shared folder on a computer in Tehran, Iran, after apparently being accidentally leaked over a peer-to-peer file-sharing network last summer.

The classified file appears to have been leaked from a computer belonging to a Bethesda, Md., military contractor and was discovered by Tiversa, a Cranberry Township, Pa.-based P2P monitoring services provider.

P2P networks are widely used to share music, video and data files over the Internet.

The Iranian IP address at which the file was found belongs to an “information concentrator,” someone who searches P2P networks for sensitive information, says Chris Gormley, chief operating officer at Tiversa.

The location where the file was found included several other documents with classified and sensitive military information that were also leaked over file-sharing networks, Gormley says. He did not disclose what the other documents were.

According to Gormley, Tiversa first found information about Marine One’s avionics floating around on file-sharing networks last summer and notified the contractor and the authorities about the discovery.

Last week’s search shows that copies of the document are still available on P2P networks to anyone who knows how to look for it, he says.

This is not the first time that highly classified and sensitive information has been discovered on P2P networks. In July 2007, members of a congressional subcommittee heard from a panel of security experts, including executives at Tiversa, about how they had found millions of classified documents on file-sharing networks.

Among the examples cited was a diagram of the Pentagon’s secret backbone network infrastructure, complete with IP addresses and password-change scripts; contractor data on radio frequency manipulation used to defeat improvised explosive devices in Iraq; physical terrorism threat assessments for three major U.S. cities; and information on five Department of Defense information security systems audits.

Corporations are not immune to this sort of thing.

In June 2007, personal data on about 17,000 Pfizer workers was exposed by an employee who installed unauthorized file-sharing software on a company laptop containing that data.

Companies need to take measures to protect against such risks, says Avivah Litan, an analyst at Gartner.

Among the measures she recommends are the use of file encryption technologies to protect sensitive files, data loss prevention tools to block leakage of data over corporate networks, and the use of intrusion-detection and network behavioral analysis products to detect P2P file-sharing.

-Jaikumar Vijayan

Photo courtesy U.S. Department of Defense
TOOLS, TECHNOLOGIES AND TACTICS

By Bob Violino

All Together Now: Unified Threat Management

Before buying the latest UTM appliance, you need to figure out what’s best for your company. Here’s a guide.

To protect networks and information against increasingly sophisticated threats, many organizations are deploying security in layers. Some are finding that an efficient way to do this is by using unified threat management (UTM) appliances.

UTM systems have multiple features and capabilities, including intrusion detection and prevention, gateway antivirus, e-mail spam filtering and Web content filtering, as well as the traditional functions of a firewall, integrated into one product offering.

Some vendors offer the option of purchasing UTM appliances for all of the various functions available or integrating just a few of the functions as needed.

It’s a fast-growing market. Research firm IDC (a sister company to CSO) released a report in October 2008 saying that it expects UTM products, which passed the $1 billion mark in market size in 2007, will make up 33.6 percent of the total network security market by 2012.

The UTM market has attracted a large number of vendors. Among the market leaders are Fortinet, Cisco, SonicWALL, Juniper, Secure Computing, Check Point, Watchguard, Crossbeam Systems and Astaro.

Vendors continue to add new features to the basic functionality of the products. For example, the latest version of Astaro’s Security Gateway product includes HTTPS Proxy Filtering, which allows users to filter and control secure Web traffic and block programs that attempt to bypass security policy with SSL tunneling.

Another new feature, Site-to-Site VPN, lets users create permanent tunnels between Astaro Gateways, providing a simple way to permanently connect two gateways while supplying the security level of an IPsec VPN tunnel.

In November 2008, Fortinet introduced a UTM product that gives organizations the ability to segment their networks for greater policy granularity and event isolation.
More vendors are adding new messaging security capabilities such as e-mail spam filtering and instant messaging security, and Web security features such as Web application firewalling and content filtering, says Jon Crotty, research analyst for security products and services at IDC.

>> TOOLBOX

Who’s Who

Unified Threat Management Vendors, as Identified by IDC

COMPANY | URL | PRODUCT
Ahnlab | global.ahnlab.com | TrusGuard UTM
Arkoon | www.arkoon.net/-English-.html | FAST360
Astaro | www.astaro.com | Astaro Security Gateway
Check Point | www.checkpoint.com | UTM-1 Total Security Appliances
Cisco | www.cisco.com | ASA 5500 Series Adaptive Security Appliances
Crossbeam Systems | www.crossbeam.com | C-Series
Cyberoam | www.cyberoam.com | CR1000i and CR1500i
Equiinet | www.equiinet.com | SecurePilot
Fortinet | www.fortinet.com | FortiGate Unified Threat Management Systems
Gajshield | www.gajshield.com | Gajshield UPTM appliances
IBM Internet Security Systems | www.ibm.com | Proventia Network Multi-Function Security
Juniper Networks | www.juniper.net | Secure Services Gateway
Netasq | www.netasq.com | U-series
Oullim Information Technology | http://eng.oullim.co.kr | Secureworks Sepion Series
Secure Computing | www.securecomputing.com | SnapGear Network Gateway and Sidewinder Network Gateway
SonicWall | www.sonicwall.com/us | Network Security Appliances (NSA)
Venus Info Tech | www.venusense.com/html/product/product_13.htm | Unified Security Gateway
Watchguard | www.watchguard.com | Firebox X Peak E-Series, Firebox X Core E-Series and Firebox X Edge E-Series
(company and URL missing from scan) | | ZyWall UTM Appliances

Crotty says other new developments in UTM include centralized management using graphical interfaces, enabling networkwide changes for licensing and upgrades, and network features such as the ability to monitor latency and throughput and automated event correlation and network logging.

IDC and others are beginning to call the newer UTM appliances (with these added security and networking features and functions) “extensible threat management” (XTM) systems.

If your organization is considering implementing a UTM system, here are some things to consider.

What Do You Really Need?

Before looking into products on the market, determine the specific security needs of your organization.

The same can be said for purchasing many types of IT security products, but it’s especially true with technologies such as UTM appliances, which combine a number of security functions into one system.

There are several dozen UTM products on the market, and they vary broadly in terms of features, capabilities and price.

Not all organizations will need particular security features and capabilities that could drive up the total cost of the technology as well as the complexity involved in implementing the systems.

“If you’re going to evaluate a UTM box, start with the basics: What are your needs? How big is your company? Is your company growing?” Crotty says. “Those questions alone would probably cut the [product] list down to about a third. Some of these players are much more geared toward the enterprise, some toward the low end.”

Check Vendor References

Prior to purchasing a UTM from Fortinet, DJO, a global provider of medical devices based in Vista, Calif., visited several companies that were using UTM appliances from various vendors.

DJO wanted to learn about the level of administration needed to operate the products, how difficult they are to use, how the firewalls work with VPNs and other issues, says John Iraci, vice president of enterprise infrastructure at DJO.

The diligence paid off. DJO successfully implemented the Fortinet product in its global environment and is seeing the benefits of enhanced security, Iraci says.

The company deployed two appliances in “high availability mode” at its headquarters, and they’re being used to help provide firewall, IPS, antivirus, VPN and Web filtering security. DJO was able to easily deploy IPS functionality to its network without adding additional hardware and without exceeding its security budget.

Investigate and Test

Many organizations, especially smaller ones, don’t have the time or resources to test products in-house. But they can take advantage of published product reviews and use the testing services available from organizations such as ICSA Labs (formerly International Computer Security Association), Crotty says.


Larger enterprises that have the resources “should select three or four vendors and try to kick the tires in a lab,” Crotty says.

He suggests that organizations conduct two types of tests. The first is to test the products’ performance against the configuration that the organization plans to use and those specific functions that will be enabled.

The other is to test the products with all the features engaged on the UTM. “This will give you an idea of performance should you eventually want to enable more applications than you do now,” Crotty says. “You want that room to grow and should look at [these capabilities] when making the initial purchase.”

DJO did a lot of testing of its UTM appliance in its labs to ensure that the device worked with the disparate hardware that the company has installed.

“We do a lot of acquisitions, and we need to make sure that there’s interoperability” among the systems, Iraci says. “Testing is so important in this day and age when you’ve got so many pieces and the infrastructure has become so much more complex.”

Testing should also apply to release upgrades.

“While the release notes may seem like they make no significant changes, with UTM there can be a change to one type of traffic pattern or filter that can affect ‘good’ traffic,” says Mike Mierwinski, CIO at Mid-America Overseas, Chicago, a transportation and logistics provider that uses a UTM system from Astaro. “Without testing this in advance, you could potentially bring down one segment of your network if you apply these updates blindly.”

Cost Versus Scalability

When selecting a product, take into consideration a range of factors, including cost, scalability, centralized management and vendor support.

Cost, throughput and management are the key criteria for evaluating UTM devices, says Richard Stiennon, chief research analyst at IT-Harvest, an IT research firm in Birmingham, Mich.

“There is the purchase price and the subscription price to consider as URL filtering, IPS and AV all require constant updates,” Stiennon says. “Does the vendor do their own research or do they use databases from third parties? The management interface should be as unified as the actual device.”

Scalability and distribution are other key considerations. Organizations with a lot of branch offices need to make sure that a UTM appliance is capable of supporting remote users.

“That’s when scalability and performance with hundreds or thousands of users really comes into play,” Crotty says.

It’s also critical to take a look at the management console of a UTM appliance. “With UTM, this is very important,” Crotty says. “Does it have a SIEM [security information and event management to gather and analyze security log data from different systems]? Can you enable applications easily? Can you do universal policy configurations and changes? What about system upgrades? With UTM, these [factors] are just as important as what the box does.”

Effective centralized management is especially vital for large enterprises that have a lot more users to support.

UTM systems should not have separate consoles for each function, Stiennon says. “Rather, protection profiles that define URLs, IPS and [antivirus] signatures to apply based on a specific group of users should be integrated with a firewall rule manager,” Stiennon says. “Updates should be easy to push from a central management console to multiple devices.”

How the UTM system is supported and maintained by the vendor is another key consideration for companies. “Some of these vendors have been aggressive in offering customer service; we’ve seen a lot of customers jump in just because of that,” Crotty says.

Can the Vendor Support Global Operations?

This was an important factor to DJO, which has operations in multiple countries. “Because we have several offices in Europe, we had to make sure [the vendor has] reseller channels over there that can ship products there and have technicians available if necessary,” Iraci says.

DJO’s five international offices have Fortinet appliances to connect the locations to corporate headquarters.

The integrated security platform enabled the company to provide the same security services at its remote locations as it does at headquarters.

Bob Violino is a New York-based writer specializing in information technology.
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Hard 

Decisions  in 
Hard  Times 


Layoffs  are  an  unfortunate  reality  in  this  economic 
climate.  Security  has  a  critical  role  in  helping 
support  both  the  departing  employees  and  the 
organization,  by  michael  fitzgerald 


The economic crisis has Michael Hamilton worried about worst-case scenarios. One of those isn’t losing his job. But as CISO for the City of Seattle, he has to worry about everybody who does lose their jobs.

Laid-off employees could have access to systems that control local utilities, water purification systems, transport systems, public safety systems—Seattle even runs its own municipal power, meaning that it has systems in place that control dams all the way into Eastern Washington.

“The top impact is always the loss of life—that’s the worst thing that can happen,” says Hamilton. Most data breaches by comparison look merely like an annoyance.

Not that it would be a cheap annoyance—the Ponemon Institute estimates that each record lost would cost a company $202, not to mention brand equity. Nor does Hamilton take the potential for data breach lightly. Besides death, Hamilton has Terry Childs on his mind. Childs is the San Francisco network administrator who allegedly held the City of San Francisco’s network passwords hostage and has been in jail for months awaiting trial.

In the wake of the Childs incident, he hopes the city avoids laying off network administrators or anyone else with high-level systems provisions. “It’s a little terrifying” to think about, he says.

There’s plenty of fear going around right now. The U.S. economy is suffering one of its broadest downturns since World War II, and widespread layoffs have created the likelihood of significant security breaches. Fifty-nine percent of U.S. employees who left a firm in the last year knowingly stole data from their former employer, according to a Ponemon Institute survey of 1,000 people. The report, released in February, was sponsored by Symantec. Meanwhile, more than 58 percent of U.S. workers surveyed by Cyber-Ark, an identity management firm, said they would download company or competitive information if they thought they were going to lose their jobs.

[Photo caption: Michael Hamilton, CISO of the City of Seattle, looks to both process and technology to minimize the concerns created by layoffs.]

Granted, all these studies were funded by security companies, which have a vested interest in their outcome. Ironically, the best way to head off data theft in a time of layoffs is probably to focus on the people involved. Technology and processes often, at best, help companies monitor data theft, rather than stop it.

Behavioral Security

It’s simple, says Ponemon: If you can lay employees off but still leave them with a favorable impression of their company, they are less likely to take data.

They’re also less likely to come back with guns a few weeks later. The challenged state of the economy has made executives jittery about the impact of layoffs. “For the first time, I’m hearing people in crisis management meetings say, ‘I’m scared. I want security here,’” says Kirian Fitzgibbons, director of special services at the Steele Foundation, a San Francisco firm that handles physical security and risk management. He says that firms are far more nervous about volatile employees than they were during the dotcom bust, with more requests for extra personnel at layoff sites and for extra security on executive floors.

Part of that is the simple scale of the downturn—Fitzgibbons says that typically Steele consults on two to three mass layoffs a year. Right now, it’s doing that many a month, and sometimes in a week.

Companies should know that being laid off is not typically something that will prompt violence. “Losing your job and losing something else is what does it,” say Fitzgibbons and other security consultants.

Almost every company has a “red flag” employee—someone who’s had run-ins with management or other employees. During layoffs, companies need to be especially careful about how these people are treated, says Marisa Randazzo, a former chief psychologist for the U.S. Secret Service and president of Threat Assessment Resources International, a security consultancy in Sparks, Nev.

“Companies may think that the bad economy makes it a good time to get rid of bad eggs, or difficult employees. But once they’re no longer part of the organization, you don’t have the ability to monitor their behavior nearly as well or to do intervention,” she says.

Indeed, companies need to recognize that problem employees often are symptoms of bad management. Randazzo tells of a laid-off worker who threw his chair through the conference room window and threatened to come back with his guns. It turns out that the company, which put on sporting events, had hired the systems administrators with the promise of attending the event they were working on. It laid off this worker and several others just two weeks before the event, with no mention of free passes to the events.

“These folks were ticked off, understandably, because they’d been promised something and it had been taken away,” she says.

TIP: Randazzo recommends involving red-flag employees in the layoff process, as much as possible.

Of course, the vast majority of employees are not red-flag employees. But they still need to be treated with dignity.

In this economically driven layoff climate, put people first, and put yourself in their shoes, says Bruce Jones, global IT security and risk manager for Kodak. “You’re not laying them off for performance, but for business conditions,” he says. “You make sure you treat people accordingly.”

Kodak has the layoff drill pretty much down; it’s spent much of the last decade being buffeted by the shift to digital imaging.

TIP: Get people moving forward.

Kodak typically lets employees keep basic network access for a few weeks after a layoff, to help transition their work and in case they are able to get another job within the company.

Organizations can even protect themselves from Terry Childs scenarios. Chad Thunberg, the chief operating officer at Leviathan Security Group in Seattle, says that early in his career he took over for a systems administrator who had been fired for cause. Two days later, the ex-employee hacked into the network and took down a number of important servers. It took 24 hours to get them back online. That company, like the city of San Francisco, had allowed one person to have sole control over too many systems and should have split off some of his duties, as well as designated a backup who would know all the same access and permission codes.

Deprovisioning

Once layoffs are complete, companies have to do a good job on the nuts and bolts on three fronts:

1. Removing laid-off employee access to company resources in timely fashion;

2. Keeping data from flowing away from the company;

3. Protecting data where it’s stored.

Technology and processes can help with all three. Every company has ways to get employees access to systems, and to remove that access when the employee leaves, no matter what the circumstances. But they don’t necessarily use it well. One stunning data point in the Ponemon survey is that 24 percent of employees let go still had full systems access days later. In fact, more than one-third of those employees still had full access more than a week later. “That is a broken process,” says Ponemon.

Deprovisioning doesn’t have to be such a nightmare. The technologies in the last five years have improved greatly. Whether it’s Active Directory, OpenLDAP or some other tool, “most systems accomplish deprovisioning with ease,” says Greg Shipley, CTO at Neohapsis, a security consultancy headquartered in Cambridge, Mass.

But process “gotchas” plague many companies, Shipley says. Not all applications get added to the system. Individual accounts may not get added in, particularly for employees that predate the deprovisioning process. There may not be procedures for changing “god” accounts like root and administrator accounts, or the “enable” password on network infrastructure. Remote accounts that are active may be overlooked, leaving someone logged in with full access, even though they’ve been deprovisioned.

Shipley adds that so much focus has been on hiring in the last few years that some identity management systems are much better at granting access than revoking it.
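The process gaps Shipley lists (applications and accounts never linked to the central directory, shared privileged passwords that nobody rotates, remote sessions that outlive the account) are exactly what a periodic reconciliation report can surface. The Python below is an added example, not code from the article or from any vendor it names: the HR termination feed, the per-system account exports, the open-session list and the shared-credential register are all constructed data, and the system names and the grace-period parameter are assumptions.

```python
"""Reconcile a termination list against per-system account exports.

Added example, not from the article. All data below is constructed, and
the system names, field layout and grace-period handling are assumptions.
"""
from datetime import date, timedelta

# Constructed HR feed: username -> last day of employment (ISO date).
TERMINATIONS = {
    "jdoe": "2009-03-02",
    "asmith": "2009-03-02",
    "rlee": "2009-03-09",
}

# Constructed per-system exports: username -> account enabled?
# A user missing from a system's export never had an account there.
# "payroll_web" stands in for a Web application not tied to the directory.
ACCOUNT_EXPORTS = {
    "active_directory": {"jdoe": False, "asmith": False, "rlee": True, "bkim": True},
    "vpn": {"jdoe": True, "asmith": False, "bkim": True},
    "payroll_web": {"jdoe": True, "rlee": True, "bkim": True},
}

# Constructed list of remote sessions still open: (username, system).
ACTIVE_SESSIONS = [("jdoe", "vpn"), ("bkim", "vpn")]

# Constructed register of shared "god" credentials: who was ever given
# the secret, and when it was last rotated.
SHARED_CREDENTIALS = {
    "router-enable": {"holders": {"jdoe", "bkim"}, "rotated": "2009-01-15"},
    "unix-root": {"holders": {"bkim"}, "rotated": "2009-02-01"},
}


def reconcile(as_of, grace_days=0):
    """Return findings a deprovisioning review should act on, as of a date.

    still_enabled: (user, system, days since departure) for live accounts
    sessions:      (user, system) for remote sessions that outlived the user
    rotate:        (credential, user) for shared secrets a departed user knew
                   that have not been rotated since they left
    """
    today = date.fromisoformat(as_of)
    findings = {"still_enabled": [], "sessions": [], "rotate": []}
    for user, left_iso in TERMINATIONS.items():
        left = date.fromisoformat(left_iso)
        if today < left + timedelta(days=grace_days):
            continue  # still inside the agreed transition window
        for system, accounts in ACCOUNT_EXPORTS.items():
            if accounts.get(user, False):
                findings["still_enabled"].append((user, system, (today - left).days))
        for sess_user, system in ACTIVE_SESSIONS:
            if sess_user == user:
                findings["sessions"].append((user, system))
        for name, cred in SHARED_CREDENTIALS.items():
            if user in cred["holders"] and date.fromisoformat(cred["rotated"]) < left:
                findings["rotate"].append((name, user))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile("2009-03-10").items():
        print(kind)
        for item in items:
            print("  ", item)
```

The `grace_days` parameter models the transition window Kodak describes; at zero, every enabled account belonging to a departed employee is reported along with the age of the gap in days, so the report can be sorted against the “still had access days later” yardstick from the Ponemon survey.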


Reduce Risk

Measures that can help departing employees and also lower the temptation to abscond with company property or data:

- Offer staff an hour a day to search for jobs while still employed.

- Give them a used computer with Internet access that they can take with them to help in their job search.

- Offer to print business cards for the employee that include their home phone number.

- Pay for access to a job site.

- Pay for Cobra insurance for three or four months.

- Have your corporate recruiters, HR or an outplacement firm assist in looking for work for laid-off employees.

Losses in 2008

Layoffs may lead to data looting, according to an 800-company study conducted by CERIAS and sponsored by McAfee.

$4.6 million: Average loss of intellectual property

$600,000: Cost of responding to each security breach

42%: Companies saying laid-off employees are the biggest threat to data

39%: Companies saying crucial information is more vulnerable because of the downturn

SOURCE: THE CENTER FOR EDUCATION AND RESEARCH IN INFORMATION ASSURANCE AND SECURITY (CERIAS) AT PURDUE UNIVERSITY

Kodak’s Jones agrees that centralized provisioning has improved in the last few years. Kodak has moved to centralized provisioning via Sun Identity Manager, and “it’s been a big benefit to us,” he says.

While deprovisioning has improved, the tools could still be better, he says. “The biggest weakness is the interface between whatever provisioning identity management tool you use and all your applications,” says Jones.

Oddly, in this Web-based era, companies tend to forget about access to Web-based software. “I honestly don’t know why companies miss this,” says Thunberg. “A majority, if not all of these environments, have a way to track them.”

Perhaps the weakest point in any deprovisioning process comes from external partners or vendors. When those companies lay people off, they may not deprovision them. Hamilton, of the City of Seattle, says that while you can write contracts and service-level agreements requiring contractors to deprovision people who are laid off, you don’t have direct control over the process.

Data Leakage

One day this March, a door was propped open on a floor with important IT systems at the City of Seattle. In fact, the door could not be locked, meaning that anyone could potentially have gained access to systems. Monitoring might have alerted the city to large data dumps taking place, but a data thief could have easily been out the door before anyone could do something about it, says Hamilton.

Hamilton says that he and his staff have to be on the constant lookout to help prevent data looting. With layoffs pending, he’s heightened his monitoring and is considering things like tagging certain employees with special monitoring agents.

Still, there’s only so much companies can do with monitoring.

“It’s hard to get a handle on data leakage—there’s so much data in file cabinets as well as on systems,” says Michelle Drolet, CEO of Towerwall, a security consultancy in Framingham, Mass.

Indeed, the Ponemon study found that 61 percent of those who take data take it in hard-copy form.

TIP: Good employee relations may be the best bet for preventing data leakage.

But there are plenty of ways to know if employees are trying to transfer large amounts of data digitally. And most companies are probably already using them—there is always an insider threat. Kodak’s Jones says that companies should set monitoring tools and alerts based on perceived threat levels, “and apply them regardless of whether people are being laid off or not.”
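As an added example of the “alerts based on perceived threat levels” Jones describes (this is illustration, not the article’s or Kodak’s code): a small Python routine that sums outbound bytes per user from proxy log lines and applies a stricter daily threshold to users the security team has placed on a watch list, while everyone else is held to the baseline. The log format, usernames, byte counts and both thresholds are constructed for illustration.

```python
"""Flag unusually large outbound transfers per user from proxy logs.

Added example, not from the article. The log format, usernames,
thresholds and watch-list tiers are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, user, destination, bytes uploaded.
LOG_LINES = """\
2009-03-12T09:14:03 user=jdoe dst=mail.webmail.example bytes_out=2097152
2009-03-12T09:20:41 user=jdoe dst=share.example bytes_out=31457280
2009-03-12T10:02:17 user=bkim dst=crm.example bytes_out=524288
2009-03-12T11:45:09 user=asmith dst=storage.example bytes_out=83886080
2009-03-12T13:10:55 user=bkim dst=share.example bytes_out=12582912
2009-03-12T14:30:00 user=jdoe dst=share.example bytes_out=22020096
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

MB = 1024 * 1024

# Daily upload thresholds per tier (assumed values). "baseline" applies to
# everyone; "elevated" is the tighter bar for users on the watch list.
DAILY_THRESHOLDS = {"baseline": 50 * MB, "elevated": 10 * MB}


def parse_lines(text):
    """Yield (user, dst, bytes) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], m["dst"], int(m["bytes"])


def egress_alerts(log_text, watch_list=None):
    """Return {user: (total_bytes, tier)} for users over their tier's threshold."""
    watch_list = watch_list or set()
    totals = defaultdict(int)
    for user, _dst, nbytes in parse_lines(log_text):
        totals[user] += nbytes
    alerts = {}
    for user, total in totals.items():
        tier = "elevated" if user in watch_list else "baseline"
        if total > DAILY_THRESHOLDS[tier]:
            alerts[user] = (total, tier)
    return alerts


if __name__ == "__main__":
    # Same log, with and without one user on the watch list: the second run
    # raises an alert for bkim that the baseline threshold would never catch.
    print(egress_alerts(LOG_LINES))
    print(egress_alerts(LOG_LINES, watch_list={"bkim"}))
```

Because the thresholds are fixed policy rather than something toggled at layoff time, the routine behaves the same whether or not a reduction is under way, which is the point Jones makes; only the watch-list membership changes.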

Some firms have to be more aggressive about handling data access than others. A midsize financial services firm recently did a significant layoff. To minimize data loss, two days beforehand it put a group policy command into Active Directory to prevent people from burning CDs or using USB sticks to get data. Even the help desk did not know what was happening.

“We just let them scramble and try to figure it out, knowing they couldn’t fix it,” says a security administrator at the firm, who asked not to be named. “It was a waste of time, but it’s what we had to do.”

He says the firm also laid off high-level network administrators first, and did not allow them back to their desks to get their things.

There are tools to allow whole disk encryption, most notably from PGP, which is particularly useful when dealing with laptops. Varonis offers a tool that lets companies control who has access to which data.

But for things like preventing salespeople from taking their contact lists with them when they leave a firm, technology only goes so far. “I don’t know of a solution to secure stuff like that on a Windows Mobile device or an iPhone,” Thunberg says.

In the end, monitoring and auditing data transfers are reactive technologies. At best, if employees know such tools are in use, it may deter brazen thefts.

The Aftermath

Finally, CSOs need to rethink their functions after layoffs.

“As staff get assigned other duties, security is less likely to get good monitoring and our safeguard procedures and processes are less likely to be executed,” says Tony Lucich, chief information security officer and enterprise architect for County of Orange, Calif. Lucich says that IT departments need to reprioritize what is considered critical because fewer people will be around to make it work.

TIP: Figure out which hatches you can actually still batten, and close all the others.

That’s echoed by Kodak’s Jones. He’s streamlining by looking at where he can reduce the number of suppliers he has, saving time and potentially money as well. For instance, Kodak uses Voltage for e-mail security, but has other vendors provide software for things like Secure FTP. Jones says he’s considering adopting the secure file transfer feature of Voltage.

In the end, Jones says, securely handling layoffs means more than just the process itself. “All CSOs need to think beyond the layoffs and think about how to operate effectively with a smaller team,” he says. ■

Michael Fitzgerald is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.
SCAMS

Eight Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines

WHAT THE AVERAGE GUY might call a con is known in the security world as social engineering. Social engineering is the criminal art of scamming a person into doing something or divulging sensitive information. These days, there are thousands of ways for con artists to pull off their tricks. Here we look at some of the most common lines these people are using to fool their victims.

Illustration by Michael Morgenstern. April 2009
“This is Chris from tech services. I’ve been notified of an infection on your computer.”

Before there were computers, e-mail, Web browsers and social network sites for communication, there was the phone. And although it may seem archaic now, it is still a handy way to pull off a social engineering scam, according to Chris Nickerson, founder of Lares, a Colorado-based security consultancy.

Nickerson says scammers often take advantage of a timely event to strike. The Downadup worm that is currently infecting many PCs is a good example. Nickerson’s firm conducts what he calls “Red Team Testing” for clients using techniques that involve social engineering to see where a company is vulnerable.

“I will call someone and say, ‘I’ve been informed that you’ve been infected with this worm.’ And then I walk them through a bunch of screens. They will see things like registry lines and start to get nervous with the technicality of it. Eventually, I say ‘Look, why don’t I fix this for you? Give me your password and I will deal with it and call you back when I am done.’”

The strategy plays on a person’s fear and lack of comfort with tech, says Nickerson.

“If you can put someone in a position where they think they are in trouble, and then be the one to fix it, you automatically gain their trust.”

SOCIAL NETWORKING SCAMS

“I’m traveling in London and I’ve lost my wallet. Can you wire some money?”

Social networking sites have opened a whole new door for social engineering scams, according to Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. One of the latest involves the criminal posing as a Facebook “friend.” They send a message or IM on Facebook claiming to be stuck in a foreign city and they say they need money.

“The claim is often that they were robbed while traveling and the person asks the Facebook friend to wire money so everything can be fixed,” says Cluley.

One can never be certain that the person they are talking to on Facebook is actually the real person, he notes. Criminals are stealing passwords, hacking accounts and posing as friends for financial gain.

“If a person has chosen a bad password or had it stolen through malware, it is easy for a con to wear that cloak of trustability,” says Cluley. “Once you have access to a person’s account, you can see who their spouse is, where they went on holiday the last time. It is easy to pretend to be someone you are not.”

“Someone has a secret crush on you! Download this application to find who it is!”

Facebook has thousands of applications users can download. “Superpoke” is one example of a popular application many users download to enhance their Facebook experience. But many are not trustworthy, according to Cluley.

“It is impossible for Facebook to vet all of the applications people write,” he says.

Sophos, which tracks cybercrime trends, is seeing Facebook applications that install adware, which cause pop-up ads to appear on a user’s screen. The other danger, according to Cluley, is that installing many of these applications means you give a third party access to your personal information on your profile.

“Even if they are legitimate, can you trust them to look after your data properly?” says Cluley. “A lot of these applications are really jokey. You don’t really need those. People should consider carefully which ones they choose to accept.”

“Did you see this video of you? Check out this link!”

Sophos is also seeing an increase in spam on Twitter, the popular social network where users “Tweet” quick one-line messages to others in their network.

A spam campaign on Twitter in recent weeks involved a Tweet that said, “Did you see this video of you?”

“If you think the link is from a friend, you are much more likely to click on it,” says Cluley.

Unfortunately, users who clicked on the link ended up at a bogus site that only looked like the Twitter website. Once there, unsuspecting Twitterers entered passwords, which then ended up in the hands of hackers.

“Hi, I’m the rep from Cisco and I’m here to see Nancy.”

Nickerson recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store.

Criminals will often take weeks and months getting to know a place before even coming in the door. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.

Well, cookies can’t hurt either. Nickerson says he always brings cookies when he is trying to gain the trust of an office staff. In fact, a 2007 diamond heist at the ABN Amro Bank in Antwerp, Belgium, involved an elderly man who offered the female staff chocolates and eventually gained their trust with regular visits while he pretended to be a successful businessman.

“It was just plain old chocolate,” says Nickerson. “Sweets loosen everybody up.”

Ultimately the bank lost 120,000 carats of diamonds because the man was able to gain enough trust to be given off-hours access to the bank’s vault.

“Can you hold the door for me? I don’t have my key/access card on me.”

In the same exercise where Nickerson used his shirt to get into a building, he had a team member wait outside near the smoking area where employees often went for breaks. Assuming his team member was simply a fellow office-smoking mate, employees let him in the back door without question.

This kind of thing goes on all the time, according to Nickerson. The tactic is also known as tailgating. Many people just don’t ask others to prove they have permission to be there. But even in places where badges or other proof is required to roam the halls, fakery is easy, he says.

“I usually use some high-end photography to print up badges to really look like I am supposed to be in that environment. But they often don’t even get checked. I’ve even worn a badge that says right on it ‘Kick me out’ and I still was not questioned.”

PHISHING LURES

“You have not paid for the item you recently won on eBay. Please click here to pay.”

“We see e-mails impersonating complaints from eBay for nonpayment of winning bids,” says Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, N.J. “Many people use eBay, and users often bid days before a purchase is complete. So, it’s not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior.”

Rubinoff, who was once targeted and almost fell prey to a phishing attack, was inspired to found Green Armor after the incident. She says this kind of ploy plays to a person’s concerns about negative impact on their eBay score.

“Since people spend years building an eBay feedback score or reputation, people react quickly to this type of e-mail. But, of course, it leads to a phishing site.”

Rubinoff recommends not clicking on any e-mails of this kind. Instead, if you are concerned about something like your eBay score, go to eBay directly by typing the URL into the browser bar on your own.

“You’ve been let go. Click here to register for severance pay.”

With the economy in the state it is in now, people are afraid for their jobs and criminals are taking advantage of that fear, says Rubinoff. A common tactic includes sending an e-mail to employees that looks like it is from the employer. The message appears to relay news that requires a quick response.

“It can be an e-mail that appears to be from HR that says: ‘You have been let go due to a layoff. If you wish to register for severance please register here,’ and includes a malicious link.”

No one wants to be the person that causes problems in this economy, so any e-mail that appears to be from an employer will likely elicit a response, notes Rubinoff. Lares’ Nickerson has also seen cons that use fake employer e-mails.

“It might say, ‘In an effort to cut costs, we are sending W-2 forms electronically this year,’” says Nickerson. ■

Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.
By Anonymous

Diary of a Data Breach Investigation

An information security manager shares the diary he kept while investigating a possible data breach

Monday

When the CISO asks to speak to you with that look on his face, you know the news isn’t good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.

It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry’s (PCI) data security standard.

Fortunately for us, our vendor has retained a copy of everything that we have sent to them.

Unfortunately for us, it was six months of information totaling over a terabyte.

Since our website is international, the legal department needed to obtain outside counsel to assist us in this matter. It will be a few days until I receive the data from the vendor.

Thursday

We have received the data from our vendor and my preliminary analysis is not good. It appears that we were sending the vendor every form field of every page on our website.

After speaking with the product team, it appears that the generator of the data is a piece of third-party code, which was supplied to us by the vendor to whom we were sending the data.

The first question that I asked was if this code was reviewed, which I was promptly told, “Yes!”

The code was reviewed before its initial installation almost a year ago. Even though the code had been in our staging and production environments for almost a year, we have only been sending the vendor sensitive information for the last six months.

I asked if the code had changed at all in that time, and I was told “most likely.” The product team was going to talk to development to get me a list of all changes to the code.

The data is massive and there are over a billion records that need to be investigated. I am working on writing a small data-mining program to piece it all together.

Legal wants me to give them a list of every single person that is affected along with their location. In the meantime, they are investigating the privacy laws of every single state in the U.S. as well as several other countries that they suspect may be contained within the data.

After telling legal that it would take me six weeks to gather the information they required, I was told that I needed to move faster.

It seems that some of the privacy laws require notification within a certain period of time after the discovery of the incident.

I told them I simply don’t have the computing power to give them what they need any quicker. I was authorized to purchase several machines to aid in the data-mining effort.

Friday

My lab machines have arrived and I have been provided with a private workspace in which to work. I spent almost the entire day splitting up the data, and I am preparing to run my data-mining program over the weekend.

I have guessed that each machine will need about 16 hours of processing in order to complete. I will have to monitor the results over the weekend to make sure that everything completes on time. Other than getting the machines to work, I have been in many meetings with the legal department where the terms “data breach” and “customer notification” have been thrown around.

I immediately started to think about all of the recent news regarding companies and data breaches. I know I didn’t want my company to be added to that list.

Monday

I met with the legal department this morning to give them a progress update. There were roughly 10 million entries in the data that contained customers and their credit card information, with six million being unique.

I have created a breakdown of all of the data based on state and country, and it seems that we may have to look at privacy laws in almost a dozen countries.
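The diary does not show the data-mining program. The Python below is an added example of the triage it describes (count the captured records that carry card data, count the distinct cards, and break the hits down by state and country for legal), written here for illustration and not the author’s program. The records are constructed, the card numbers are the widely published test numbers rather than real ones, and the field names are an assumption about what the vendor’s feed looked like.

```python
"""Triage a dump of captured form fields for payment-card data.

Added example, not the diary author's data-mining program. The records
are constructed (the card numbers are published test numbers) and the
field names are assumptions about what the vendor's feed looked like.
"""
import json
import re
from collections import Counter

# Constructed sample of the vendor's feed: one JSON record per line, each
# holding every form field of one page view, exactly the over-collection
# the diary describes. Record 3 is the same customer as record 1.
SAMPLE_JSONL = """\
{"page": "/checkout", "fields": {"name": "A. Customer", "card": "4111111111111111", "state": "CA", "country": "US"}}
{"page": "/search", "fields": {"q": "running shoes"}}
{"page": "/checkout", "fields": {"name": "A. Customer", "card": "4111 1111 1111 1111", "state": "CA", "country": "US"}}
{"page": "/checkout", "fields": {"name": "B. Buyer", "card": "5500000000000004", "state": "NY", "country": "US"}}
{"page": "/checkout", "fields": {"name": "C. Kunde", "card": "4012-8888-8888-1881", "country": "DE"}}
{"page": "/contact", "fields": {"phone": "5551234567", "order": "1234567890123", "country": "US"}}
"""

DIGIT_RE = re.compile(r"\d")


def luhn_ok(digits):
    """Luhn check, the checksum card issuers use; a cheap filter for digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_digits(value):
    """Return the normalized digit string if value looks like a card, else None."""
    digits = "".join(DIGIT_RE.findall(str(value)))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def load_jsonl(text):
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Count records carrying card data, distinct cards, and hits per jurisdiction."""
    records_with_cards = 0
    unique_cards = set()
    by_jurisdiction = Counter()
    for rec in records:
        fields = rec.get("fields", {})
        found = [d for d in (card_digits(v) for v in fields.values()) if d]
        if not found:
            continue
        records_with_cards += 1
        unique_cards.update(found)
        # (country, state) is what legal needs to map hits onto notification laws.
        by_jurisdiction[(fields.get("country", "??"), fields.get("state", "-"))] += 1
    return {
        "records_with_cards": records_with_cards,
        "unique_cards": len(unique_cards),
        "by_jurisdiction": dict(by_jurisdiction),
    }


if __name__ == "__main__":
    print(triage(load_jsonl(SAMPLE_JSONL)))
```

The length-plus-Luhn filter is what keeps a 13-digit order number or a phone number out of the count; the normalized digit string is what makes the spaced and hyphenated copies of one card collapse to a single unique entry, which is the gap between the “10 million entries” and “six million unique” figures in the diary.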

The  product  team  got  back  to  me  and 
there  were  over  ten  changes  to  the  third- 
party  code  since  it  was  first  put  in  place. 
Unfortunately,  they  didn’t  get  around  to 
doing  a  code  review  on  any  version  after 
the  original. 

The  only  real  piece  of  good  news  that 
they  gave  me  was  that  all  connections  to 


our  vendor  were  done  over  SSL. 

At  least  this  data  did  not  go  over  the 
Internet  in  plain  text. 

I  will  give  this  one  piece  of  good  news 
to  the  legal  department  at  our  meeting 
later  today. 


Three Weeks Later

Even though my work has been done for several weeks, the legal department continued to deliberate on whether or not to report this as a data breach to the customers that were affected.

As it turns out, the vendor who received the data had relatively good procedures in place and not many people had access to our data.

We were able to account for everyone who may have accessed the data, and because the legal department feels that the data never left our control, they decided that this did not constitute a data breach. An outside forensics firm confirmed the data never left a controlled environment.

We may have dodged a huge bullet on this incident, but the required legal counsel, forensics and the time everyone spent working on it cost the company over $1 million.

Conclusion

Where did we go wrong here and how could we have prevented this?

Both of these were questions that were asked many times during the investigation. Of course it is easy to say that in the future we will never run third-party code on our website, but how realistic is that?

Large enterprises run third-party code every day in the form of open-source software, and we are no exception.

One major way we could have prevented this incident was to have a consistently followed SDLC process in place.

Code review is a major piece of any SDLC process, as is output validation. Someone should have been working with the vendor every time there was a software change to make sure that they were seeing the appropriate data and nothing more.

Our issue should have been easy to spot since we were sending much more than the required information.

It’s amazing to me that such a small issue could cost a company so much money.

I shudder to think about how much this incident would have cost if we had to report it publicly. ■


The author is an information security manager for a company based in the Chicago area.
[ INDUSTRY VIEW]

Jeff Prince, ConSentry Networks


5 Things You Can’t See on Your Network

How business practices have changed the risky activity on your network


Networks today are blind. As analyst firms such as Gartner have pointed out, IT doesn’t really know which users are on the network. Similarly, IT knows very little about the application traffic. IT relies on cryptic tools to stand in for user and application data, but these tools can rarely be used to tie the information back to real-time traffic.

But changes in business practices have changed the risk dramatically. Organizations now host far more people, many of them “outsiders” just visiting, and users bring in more applications all the time.

Realistically, businesses need these changes for the productivity gains they enable. The key is for IT to allow these fruitful practices without compromising the security of the organization’s digital assets or the productivity of the employees.

What kinds of risks can IT avoid by adding identity and application visibility and control to the network? Here are just a few examples:

Applications (or people) behaving badly: A bank was under the impression that teller transactions were happening over encrypted tunnels using SSH. After gaining application intelligence in the network and watching their application flows, they noticed huge numbers of Telnet sessions and tracked them back to the tellers. They learned that those sensitive transactions, involving customer financial and personal data, were running in the clear over Telnet rather than being encrypted over SSH.

Who’s visiting which sites: Any business that bills clients based on employee time needs to make sure the employees are billing appropriately. A call-center company bills by the time needed to service incoming calls, and the billing cycle initiates the second the call enters the call center’s queue, even if the client’s customers have to wait on hold. A study of top applications at one call center revealed extensive access to Web-based gaming sites. It turned out that playing these games was delaying some employees from answering calls quickly, inappropriately increasing the fees charged to clients. By tying website access to a user name, the company eliminated this time-waster and returned to accurate billing for its customers.


The Port 80 problem: People typically use this term to describe the plethora of applications that run on Port 80. While those flows used to correspond to Web surfing traffic, far more applications use that port today. Think of the Oracle application served through a Web browser, or CRM applications delivered as cloud services such as Salesforce.com. Knowing something is Port 80 actually tells you very little now. In fact, inferring which application is running from the L4 port alone can leave an organization at risk. Consider the software vendor who thought they’d successfully shut down eDonkey by closing its well-known port on the perimeter firewall. Once they were able to perform detailed application inspection on the LAN, they saw eDonkey was still widely in use, putting their source code at risk.

IP addresses don’t equate to users: Using IP addresses as a proxy for users can similarly put an organization at risk. IT often relies on spreadsheets to track addresses and tie them to user names. In one case, a company’s spreadsheet indicated that a certain IP address belonged to a switch port, and so that port was grouped with other “management” devices and assigned a policy to use only relevant management applications. Imagine the confusion when policy violations abounded. By looking at detailed flows, they were able to identify the “sender” as a user and not a switch. This situation could easily have created the possibility for duplicate IP addresses and network loops, for example, or for users to be incorrectly grouped and accidentally given access to sensitive financial data. With only IP addresses to keep tabs, an organization truly has no idea about who is doing what on the network.

Illegal downloads: Being able to tie media downloads to individuals is key not only to retain productivity (and server space!) but also to meet compliance needs. Any organization where such activity is happening ends up liable, and the MPAA and RIAA are adamant about pursuing copyright violations. Given the chance to link download traffic to a specific user, IT can go to that user and reiterate the Internet usage policies, possibly saving a friend’s job or a student’s enrollment. ■


Jeff Prince is chairman and CTO of ConSentry Networks.
“I am fearless.

I am CSO for a major manufacturing company.

I protect more than intellectual property and plans.

I secure our reputation.

I know confidence drives innovation.

I am fearless.”


Secure Enterprise Data. Information is your company’s greatest asset. The accidental loss, manipulation or theft of data is your greatest risk. RSA can help minimize that risk with data loss prevention solutions that secure sensitive data across your entire IT infrastructure.

Because the more confident you are in your data, the more confident your customers are in you.

Don’t just secure your business. Accelerate it. Learn more at www.rsa.com/windsurf/cso
Visit us at the RSA Conference, April 20-24, 2009, San Francisco CA


The Security Division of EMC

Secure Anytime Anywhere Access | Protect Customer Identities | Secure Enterprise Data | Manage Compliance and Security Information

©2007-2009 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries.
5 Increasingly Desperate Measures for Protecting Yourself from ID Theft During Tax Season


1 Don’t use a professional tax preparation service, which will allow a stranger to see your data. Instead, take all your paperwork and spread it out over a couple of tables at Panera so you can do it yourself while using free Wi-Fi.

2 Keep 1099s and other sensitive documents in a safe. You can keep the combination handy on a sticky note.

3 If filing electronically, purchase a new PC, harden the operating system, remove all applications except for the browser, disable all browser functions, complete and file the necessary forms, then immediately level-five shred the entire PC.

4 If filing by mail, shred your 1040 form BEFORE you fill it out.

5 Don’t file at all. (Note: This may or may not affect your future prospects for working in government.)
Compliance Reporting

Provide  immediate  reports  to 
management  on  your  organization's 
compliance  posture  for  a  wide  variety 
of  standards  such  as  PCI  or  FDCC. 


Security  Monitoring 

Unify  real-time  user  and  network 
monitoring  data  with  in-depth 
vulnerability  and  configuration 
analysis  tools. 


IT  Auditing 

Monitor  USB  devices,  virtual  systems, 
running  and  installed  applications, 
sensitive  data  sharing  and  system 
configurations. 


TenableSecurity.com  ■  Nessus.org 


Network  Security 




CA  Security  Management  software  streamlines  your  IT  security 
environment  so  your  business  can  be  more  secure,  agile  and 
compliant  without  upsizing  your  infrastructure.  All  with  faster 
time  to  value.  Greater  efficiency  starts  with  more  efficient  IT. 

That's  the  power  of  lean. 

Learn  more  at  ca.com/security 


Visit  us  at  RSA  Conference,  April  20-24,  Booth  #1533 


Copyright © 2009 CA. All rights reserved.


